WordPress Plugin Vulnerabilities

Joy Of Text Lite – SMS messaging for WordPress <= 2.3.1 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
joy-of-text
No known fix

References

CVE
CVE-2024-7984
URL
https://docs.google.com/document/d/1-H-D1NIqFa9Thqla6XE0b_ZwO3FjTjmD9bkS2gs8da0/edit?usp=sharing

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Guru Raghav Saravanan
Submitter
Guru Raghav Saravanan
Submitter website
https://nerdzspot.vercel.app/
Verified
Yes
WPVDB ID
07684ecb-5662-4412-8190-7957cfcf7bd3

Timeline

Publicly Published
2024-07-11 (about 1 year ago)
Added
2024-09-13 (about 1 year ago)
Last Updated
2024-09-13 (about 1 year ago)

Other

Published
Title
Published
2025-05-02
Title
occupancyplan <= 1.0.3.0 - Cross-Site Request Forgery to SQL Injection
Published
2023-10-25
Title
Custom Header Images <= 1.2.1 - Cross-Site Request Forgery
Published
2023-06-15
Title
WooCommerce Stock Manager < 2.11.0 - Cross-Site Request Forgery
Published
2023-08-16
Title
Enhanced Ecommerce Google Analytics for WooCommerce < 3.7.2 - CSRF
Published
2025-04-09
Title
WordPress Events Calendar Plugin – connectDaily < 1.5.5 - Stored XSS via CSRF